Privacy & Data Sovereignty Protocols
Document Reference: RF/LEGAL/PRIVACY/2026-001
Effective Date: April 20, 2026 | Jurisdiction: Greater Noida, Uttar Pradesh, India
Article I — Interpretation & Definitions
For the purposes of this Protocol, the following terms shall have the meanings ascribed to them herein. All defined terms shall apply equally to their singular and plural forms.
- “Client” means any individual, corporate entity, family office, trust, or institution that has engaged RiskFortress under a signed Statement of Work, intake form submission, or written engagement mandate, possessing minimum assets of ₹100 Crore (Indian Rupees One Hundred Crore) under active management or ownership.
- “Intelligence Data” means all raw, processed, or derived data — including but not limited to OSINT findings, forensic artifacts, financial profiling outputs, geospatial analysis, corporate registry extracts, and threat assessments — compiled or generated by RiskFortress in the course of a Client engagement.
- “Forensic Artifacts” means digital or physical evidentiary materials, including document metadata, network traffic logs, registry entries, timestamps, hash values, chain-of-custody records, and any derivative analysis thereof.
- “Sovereign Data” means any Intelligence Data or Client-submitted information that is subject to the data sovereignty principles of the Republic of India, processed and stored within India-based infrastructure under Indian law.
- “Sensitive Personal Data or Information (SPDI)” has the meaning ascribed under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including financial information, biometric data, health data, passwords, sexual orientation, and related categories.
- “Processing” means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- “Data Principal” means the natural person to whom personal data relates, as defined under the Digital Personal Data Protection Act, 2023.
- “Data Fiduciary” means RiskFortress Intelligence (a Mayalok Ventures entity), which determines the purpose and means of Processing of personal data, as defined under the Digital Personal Data Protection Act, 2023.
Article II — Collection of Non-Public Information
RiskFortress collects, processes, and analyzes the following categories of non-public information exclusively for the performance of mandated intelligence services:
2.1 — Categories of Data Collected
- Biometric Data: Facial recognition patterns, fingerprint data, voiceprint analysis, and behavioral biometrics — only where explicitly authorized under a signed engagement protocol and applicable law.
- Financial Data: Asset valuations, banking relationships, shareholding structures, beneficial ownership chains, investment portfolios, tax filings, credit profiles, and cross-border financial flows.
- Geospatial Data: Property ownership records, travel patterns, location history derived from publicly available and lawfully obtained sources, and real-time geospatial threat mapping.
- OSINT Vectors: Publicly available social media footprints, court and litigation records, corporate registry filings (MCA, NCLT, BSE/NSE disclosures), property registration data, academic credentials, and professional association memberships — accessed through lawful open-source intelligence methods.
2.2 — Method of Collection
Information is collected through: (a) Client-submitted intake forms and engagement documents; (b) Lawful OSINT methodologies; (c) Authorized third-party data providers operating under applicable Indian law; (d) Public registries, court records, and statutory filings; and (e) Technical intelligence and network analysis tools where contractually authorized.
2.3 — Voluntarily Submitted Information
Any information submitted voluntarily by the Client through our secure intake portal, encrypted communications, or direct engagement is treated as Confidential Information and processed exclusively for the stated engagement purpose.
2.4 — Minors & Children’s Data
RiskFortress does not knowingly collect, process, or retain personal data of individuals below the age of 18 years. Our services are designed exclusively for adult corporate entities, institutional mandates, and senior executives. If minor data is inadvertently collected in the course of an engagement, it will be permanently deleted without retention or further processing upon identification. Clients expressly warrant that no information submitted to RiskFortress pertains to individuals below 18 years of age, absent specific legal mandate requiring otherwise.
Article III — Website Analytics & Cookie Policy
riskfortress.in employs Cloudflare Web Analytics exclusively for website security, performance monitoring, and traffic analysis. The following conditions govern this usage:
- No Personally Identifiable Information (PII) is collected through the website analytics layer.
- Cloudflare Web Analytics operates on a privacy-first architecture — it does not use cookies, browser fingerprinting, or cross-site tracking mechanisms. Only aggregate data is processed.
- Clients and visitors may disable cookies through their browser settings at any time without any loss of access to riskfortress.in or degradation of service.
- RiskFortress does not use, deploy, or permit: advertising networks, retargeting pixels, behavioral tracking scripts, third-party analytics SDKs, social media trackers, or any form of surveillance-grade web analytics.
- Google Analytics (GA4) is used solely in aggregate, anonymized form for traffic source analysis. IP anonymization is enforced. No cross-device tracking or advertising profiles are built.
Article IV — Purpose of Processing (Need-to-Know Basis)
All processing of Client data is governed by the principle of strict purpose limitation. Data collected for one engagement shall not be repurposed, cross-used, or amalgamated for any other engagement without express written consent. The authorized purposes of processing are:
- Risk Mitigation: Identification, profiling, and neutralization of threats to Client assets, reputation, operations, and personnel.
- Threat Forecasting: Predictive modeling, macro-financial forensics, geopolitical risk modeling, and scenario planning for strategic decision-making.
- Legal Admissibility: Preparation of forensic reports, chain-of-custody documentation, and evidentiary packages to the standard required for Indian court proceedings or regulatory submissions.
- Statutory & Structural Intelligence: Analysis of regulatory exposure, corporate governance deficiencies, and statutory compliance risk.
Absolute Prohibition: RiskFortress does not sell, trade, barter, license, rent, commercially exploit, or otherwise transfer Client data to any third party for commercial gain under any circumstances. This prohibition is unconditional and survives termination of any engagement.
Article V — Data Processing, Localization & AI Usage
5(a) — Compliance Standards
All data processing operations comply with the Digital Personal Data Protection (DPDP) Act 2023, the Information Technology Act 2000 (as amended), and the IT (SPDI) Rules 2011, and are maintained to SOC 2-grade operational expectations for data handling, access control, and audit trails.
5(b) — Zero-Disclosure Clause & Absolute AI Training Prohibition
ZERO-DISCLOSURE ARCHITECTURE: All Client data — including Confidential Client Threat Models, Enterprise Telemetry Data, intake submissions, engagement communications, forensic artifacts, and analytical outputs — is processed within strictly siloed, single-tenant logical environments. Client data is never aggregated, pooled, anonymised-and-released, sold, syndicated, brokered, shared with marketing partners, used for benchmarking against other clients, or disclosed to any third party for any commercial, analytical, or research purpose whatsoever.
UNCONDITIONAL AI-TRAINING PROHIBITION: No Client forensic data, network intelligence logs, intelligence reports, engagement communications, analytical outputs, prompts, or derivative artifacts of any nature whatsoever will EVER be used — directly or indirectly — to train, fine-tune, benchmark, evaluate, RLHF, distill, or otherwise improve any internal or third-party artificial intelligence, machine learning, large language model, foundation model, embedding model, or automated decision-making system. This prohibition is absolute, unconditional, irrevocable, and survives indefinitely beyond the termination of any engagement.
5(c) — Role-Based Access Control (RBAC)
Client data is accessible exclusively to personnel with a direct, documented operational need on the specific engagement for which the data was collected. RiskFortress maintains:
- Granular Role-Based Access Control (RBAC) protocols enforced at system level.
- Immutable access logs maintained for all data access events, retained for 7 years.
- Quarterly internal access audits and mandatory access revocation upon engagement closure.
- Zero-trust architecture applied to all internal data access pathways.
5(d) — Data Localization
All Client data is processed and stored on India-based infrastructure wherever technically feasible, in compliance with DPDP Act 2023 data localization principles. Any cross-border transfer occurs only to jurisdictions notified under the DPDP Act Schedule and is governed by contractual safeguards, such as Standard Contractual Clauses (or an equivalent instrument) or binding processing agreements.
Article VI — Data Retention & Digital Shredding
6.1 — Retention Period (Tiered)
- (a) Confidential Client Threat Models: Retained only for the active duration of the engagement plus thirty (30) days post-termination for orderly handover. Thereafter, threat-model artifacts are cryptographically purged from primary, replica, and backup storage tiers.
- (b) Enterprise Telemetry Data & Network Intelligence Logs: Retained for a maximum of ninety (90) days from collection in operational systems, after which they are aggregated into immutable forensic-evidence packages (where contractually required) or securely destroyed.
- (c) Final Intelligence Reports & Chain-of-Custody Records: Retained for seven (7) years consistent with the Limitation Act, 1963, solely to defend the integrity of past deliverables.
- (d) Statutory & Tax Records: Retained per the minimum periods mandated under Indian tax, corporate, and AML statutes.
- (e) Marketing & Website Logs: Aggregated, non-identifying analytics retained for a maximum of twenty-four (24) months.
6.2 — Encryption, Air-Gapped Storage & Cryptographic Purge
All Client artifacts are encrypted in transit using TLS 1.3 (or higher) and at rest using AES-256-GCM with per-engagement key isolation. Threat models, telemetry payloads, and forensic evidence are stored in air-gapped, hardware-segregated repositories with strict break-glass access controls. Decryption keys are managed under a Hardware Security Module (HSM) policy with quorum-controlled custody.
Systematic destruction follows a multi-stage protocol: (i) cryptographic erasure of per-engagement keys (rendering the ciphertext unrecoverable); (ii) DoD 5220.22-M / NIST SP 800-88 Rev. 1 multi-pass overwrite of the underlying media where applicable; (iii) propagation of deletion across replicas, backups, snapshots, and disaster-recovery tiers; and (iv) issuance of a signed Certificate of Destruction within ten (10) business days of completion.
6.3 — Certificate of Destruction
Upon completion of the retention period or Client request for erasure, RiskFortress issues a formal Certificate of Destruction confirming secure deletion of all Client data from active systems, archives, and backups within the technically feasible scope.
6.4 — Data Breach Notification
In the event of a confirmed or reasonably suspected data breach, RiskFortress will, within 72 hours of becoming aware of the breach: (a) notify the Data Protection Board of India in accordance with DPDP Act 2023 mandates; and (b) notify all affected Data Principals. Notification shall include: the nature and scope of the breach, the categories of data affected, the likely consequences, and the remedial measures taken or proposed. A formal Breach Register is maintained and available for regulatory inspection.
Article VII — Disclosure to Third Parties & Law Enforcement
RiskFortress maintains an absolute policy of non-disclosure of Client information to any third party, governmental authority, law enforcement body, or regulatory agency absent a lawful mandate. Specifically:
- Disclosure occurs only pursuant to a valid court order, judicial process, or statutory mandate issued by a competent authority under Indian law.
- RiskFortress does not voluntarily disclose Client information to police, investigative agencies, or regulatory bodies without lawful compulsion.
- Where legally permissible, the affected Client will be notified prior to any disclosure to allow exercise of legal remedies including injunctions or appeals.
- Comprehensive logs of all disclosure demands, responses, and disclosures are maintained and available for Client review upon lawful request.
- RiskFortress reserves the right to challenge any disclosure demand that appears overbroad, disproportionate, or lacking lawful basis before a competent court.
Article VIII — Lawful Basis & Consent
RiskFortress processes personal data on the following lawful bases under the Digital Personal Data Protection Act, 2023:
- (a) Consent: Freely given, specific, informed, and unambiguous consent obtained from the Data Principal prior to engagement commencement, via our secure intake form checkbox mechanism and/or written engagement confirmation.
- (b) Legitimate Interests: Processing necessary for the legitimate interests of RiskFortress as Data Fiduciary, provided such interests do not override the fundamental rights of the Data Principal.
- (c) Legal Obligations: Processing required for compliance with applicable Indian law, court orders, or regulatory obligations.
Consent may be withdrawn at any time by written notice to legal@riskfortress.in (with copy to compliance@mayalok.com). Withdrawal is effective from the date of receipt and does not affect the lawfulness of prior processing. Withdrawal requests are processed within 30 days of receipt.
Article IX — Data Principal Rights
Under the Digital Personal Data Protection Act, 2023, each Data Principal possesses the following rights, exercisable by written request to our Grievance Redressal Officer:
- Right to Confirmation & Access: Confirmation of whether personal data is being processed and access to a summary of data held and processing activities.
- Right to Correction & Erasure: Correction of inaccurate or outdated personal data and erasure where retention is no longer justified by lawful purpose.
- Right to Grievance Redressal: Access to a functional grievance mechanism with defined response timelines.
- Right to Nomination: Nomination of another individual to exercise rights in the event of the Data Principal’s death or incapacity.
- Right to Withdraw Consent: Withdrawal of consent at any time without prejudice to prior lawful processing, effective within 30 days of written request.
- Right to Approach the Board: Filing a complaint with the Data Protection Board of India where the Data Principal is dissatisfied with RiskFortress’s response.
Article X — Grievance Redressal Officer
Name: Kunal Pratap Singh
Designation: Founder & Data Protection Officer
Organization: RiskFortress Intelligence (A Mayalok Ventures Entity)
Primary Contact: legal@riskfortress.in
Compliance Escalation: compliance@mayalok.com
Address: Pari Chowk, Greater Noida, Uttar Pradesh 201310, India
Response SLA: Acknowledged within 48 hours of receipt. Resolution within 30 days.
Article X(A) — International Compliance & GDPR Equivalency
For Data Principals located in the European Economic Area, the United Kingdom, Switzerland, or any jurisdiction with substantively equivalent personal-data legislation, RiskFortress voluntarily extends the following GDPR-equivalent protections in addition to its DPDP Act 2023 obligations:
- 10A.1 — Lawful Basis Mapping: Article 6 GDPR grounds (consent, contract, legal obligation, vital interests, public task, legitimate interests) and, where applicable, Article 9 GDPR special-category safeguards are documented per engagement.
- 10A.2 — Data Subject Rights: The rights of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and the right not to be subject to solely automated decision-making (Articles 15–22 GDPR) are honoured on parity with rights granted to Data Principals under the DPDP Act.
- 10A.3 — Cross-Border Transfers: Any transfer of personal data outside India to a non-adequate jurisdiction is governed by EU-Commission-approved Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, or equivalent safeguard, supplemented by transfer impact assessments where required by Schrems II case law.
- 10A.4 — EU Representative & Lead Supervisory Authority: Where Article 27 GDPR applies, RiskFortress will designate an EU representative and identify a lead supervisory authority on request to compliance@mayalok.com.
- 10A.5 — Personal Data Breach Notification: In addition to the 72-hour DPDP notification commitment, GDPR-Article-33 breach reporting timelines apply to in-scope EEA Data Principals; affected individuals are notified without undue delay where Article 34 thresholds are met.
- 10A.6 — Sector-Adjacent Frameworks: Engagements involving regulated industries reference, where contractually scoped, HIPAA, GLBA, PCI-DSS, ISO/IEC 27001, ISO/IEC 27701, and SOC 2 Type II controls.
To the extent any provision of this Protocol affords a lower standard of protection than the DPDP Act, GDPR, or any other applicable data-protection statute, the higher statutory standard shall prevail and is deemed incorporated by reference.
Article XI — Amendments & Governing Law
RiskFortress reserves the right to amend, update, or revise this Privacy & Data Sovereignty Protocol at any time. Material amendments shall be communicated to active Clients no less than 30 days prior to the effective date via registered email or the secure client portal. Continued engagement following the effective date of any amendment constitutes acceptance thereof.
This Protocol is governed by, and construed in accordance with, the laws of the Republic of India. All disputes arising out of or in connection with this Protocol shall be subject to the exclusive jurisdiction of courts at Greater Noida, Uttar Pradesh, without prejudice to RiskFortress’s right to seek emergency injunctive relief before any court of competent jurisdiction.